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INTHE CLAIMS: 
Amended claims follow: 

1 . (Currently Amended) A system for identifying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and macro 
virus definition data files with each index referencing one or more of the macro 
virus definition data files and each macro virus definition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macrOj the sets of the indices and the macro virus definition data files being 
organized into a hierarchy according to macro virus families based on a type of 
application to which the macro appHes; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as suspect strings into 
a hierarchical parse tree; 

a macro virus checker trav e rsing th e hiemrchical pars e tr ee to - r e tri e v e 
each susp e ct string - and -comparing theeach suspect string to the macro virus 
attributes defined in the one or more macro virus definition data files for each 
macro virus family in the macro virus definitions database and determining each 
macro virus family to which the suspect string belongs fi'om the index for each 
macro virus definition data file at least partially containing the suspect string; 

the macro virus checker parsing the macro virus attributes from one or 
more file objects and analvzini; the macro virus definition data files by index for 
each macro virus family: and 
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the macro virus checker iterativelv retrieving each macro virus definition 
data file using the index for each macro virus family and providing the macro 
virus attributes defined in the retrieved macro virus definition data file . 

2. (Original) A system according to Claim 1 , further comprising: 
the macro virus definition data files being indexed into the macro virus 

families categorized by a replication method employed, 

3. (Previously Amended) A system according to Claim 1, wherein the 
suspect string comprises part of the suspect file comprising a plurality of 
individual suspect strings. 

4. (Previously Amended): A system according to Claim 3, further 
comprising: 

the macro virus checker identifying a replication method common to a 
plurality of the individual suspect strings in the suspect file. 

5. (Original) A system according to Claim 4, fiirther comprising: 
the macro virus checker identifying the macro virus family by which the 

common replication method is indexed. 

6. (Original) A system according to Claim 1, further comprising: 
the macro virus definitions database storing string constants common to 

each macro virus family in the macro virus attributes for the macro virus 
definition data files; and 

the macro virus checker comparing the suspect string to the string 
constants in the one or more macro virus definition data files for each macro virus 
family. 

7. (Original) A system according to Claim 6, further comprising: 

a parameter specifying a threshold to matches of commonly shared string 
constants. 
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8. (Original) A system according to Claim 6, further comprising: 
a parameter specifying a minimum length of commonly shared string 

constants. 

9. (Original) A system according to Claim 1, further comprising: 
the macro virus definitions database storing source code text common to 

each macro virus family in the macro virus attributes for the macro virus 
definition data files; and 

the macro virus checker comparing the suspect string to the source code 
text in the one or more macro virus definition data files for each macro virus 
family. 

10. (Original) A system according to Claim 9, further comprising: 

a parameter specifying a threshold to matches of commonly shared source 
code text. 

1 1 . (Original) A system according to Claim 9, further comprising: 
a set of keywords used in the stored source code text to identify each 

replication method employed. 

12. (Original) A system according to Claim 1, further comprising: 

the macro virus checker resetting the index referencing one or more of the 
macro virus definition data files for at least one macro virus family and creating a 
new macro virus definition data file entry comprising an index referencing one or 
more macro virus definition files. 

13. (Original) A system according to Claim 12, further comprising: 
the new macro virus definition data file entry defining the macro virus 

attributes by storing at least one of a string constant and source code text. 

14. (Cancelled) 
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1 5. (Currently Amended) A system according to Claim 441, further 
comprising: 

the macro virus checker cross referencing at least one of a string constant 
and source code text from the parsed macro file attributes against the macro virus 
attributes defined in the virus definition data files. 

16. (Cancelled) 

17. (Currently Amended) A method for identifying a macro virus 
family using a macro virus definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices 
and macro virus definition data files with each index referencing one or more of 
the macro virus definition data files and each macro virus definition data file 
defining macro virus attributes for known macro viruses that are each comprised 
of at least one macro; 

organizing the sets of the indices and the macro virus definition data files 
into a hierarchy according to macro virus families based on a type of application 
to which the macro applies; 

parsing a suspect file into tokens comprising one of individual string 
constants and source code text and storing the tokens as suspect strings into a 
hierarchical parse tree; 

trav e rsin g tlic hiororohical pars e tr ee to r e tri e v e e ach suspoot string and 
comparing th eeach the suspect string to the macro vims attributes defined in the 
one or more macro virus definition data files for each macro virus family in the 
macro virus definitions database; and 

determining each macro virus family to which the suspect string belongs 
fi^om the index for each macro virus definition data file at least partially 
containing the suspect string; 

parsine the macro virus attributes from one or more file objects and 
analvzing the macro virus definition data files bv index for each macro virus 
familv; and 



PAGE 12/24 ' RCVD AT G/1 0/2005 0:56:04 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-1/0 * DNIS: 8729300 * 0810:408 971 4660 * DURATION (mm-ss):07-32 



Jun 10 05 03:59p SVIPG 



408 971 4660 



p. 13 



-6- 

iterativelv retrieving each macro virus definition data file using the index 
for each macro virus family and providing the macro virus attributes defined in 
the retrieved macro virus definition data file . 

1 8. (Original) A method according to Claim 1 7, further comprising: 
indexing the macro virus definition data files into the macro virus families 

categorized by a replication method employed. 

19. (Previously Amended) A method according to Claim 1 7, further 
comprising: 

providing the suspect string as part of the suspect file comprising a 
plurality of individual suspect strings. 

20. (Previously Amended) A method according to Claim 19, further 
comprising: 

identifying a replication method common to a pluraHty of the individual 
suspect strings in the suspect file. 

2 1 . (Original) A method according to Claim 20, further comprising: 
identifying the macro \'irus family by which the common replication 

method is indexed. 

22. (Original) A method according to Claim 17, fiorther comprising: 
storing string constants common to each macro virus family in the macro virus 
attributes for the macro virus definition data files; and 

comparing the suspect string to the string constants in the one or more 
macro virus definition data files for each macro virus family. 

23. (Original) A method according to Claim 22, further comprising: 
applying a threshold to matches of commonly shared string constants. 

24. (Original) A method according to Claim 22, further comprising: 
designating a minimimi length of commonly shared string constants. 
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25 . (Original) A method according to Claim 1 7, further comprising: 

storing source code text common to each macro virus family in the macro 
virus attributes for the macro virus definition data files; and 

comparing the suspect string to the source code text in the one or more 
macro virus definition data files for each macro virus family. 

26. (Original) A method according to Claim 25, further comprising: 
applying a threshold to matches of commonly shared source code text. 

27. (Original) A method according to Claim 25, further comprising: 
defining a set of keywords used in the stored source code text identifying each 
rephcation method employed. 

28. (Original) A method according to Claim 1 7, further comprising: 
resetting the index referencing one or more of the macro virus definition 

data files for at least one macro virus family; and 

creating a new macro virus definition data file entry comprising an index 
referencing one or more macro virus definition files. 

29. (Original) A method according to Claim 28, further comprising: 
defining the macro virus attributes for the new macro virus definition data 

file entry by storing at least one of a string constant and source code text. 

30. (Cancelled) 

3 1 . (Currently Amended) A method according to Claim 3017, further 
comprising: 

cross referencing at least one of a string constant and source code text 
from the parsed macro file attributes against the macro virus attributes defined in 
the virus definition data files. 

32. (Cancelled) 
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33 . (Currently Amended) A computer-readable storage medium 
holding code for performing the method according to Claims 17, 18, 19, 22, 25? or 
28 > 30, or 33 . 

34. (Currently Amended) A system for identifying a macro virus 
family using a macro virus definitions database, comprising: 

a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 

one or more of the macro virus definition data files referenced by 
the associated index with each macro virus defmition data file defining macro 
virus attributes for known macro viruses that are each comprised of at least one 
macro; 

a hierarchy organized according to a macro family to which each 
of the sets of the indices and tiie macro virus definition data files belong based on 
a type of application to which the macro applies; 

a parser parsing a suspect file into tokens comprising one of individual 
string constants and source code text and storing the tokens as strings into a 
hierarchical parse tree; 

a macro virus checker trav e r s ing tho hierarchical paro e tr ee to - r e tri e v e th e 
strings and comparing one or more strings stored in a suspect file to the macro 
virus attributes defined in the one or more macro virus definition data files for 
each macro virus family in the macro virus definitions database and determining 
the macro virus family to which the suspect file belongs from the indices for each 
of the macro virus definition data files at least partially containing the suspect file; 

the macro virus checker parsing macro virus attributes fi-om one or more 
file objects and analyzing the macro virus definition data files by index for each 
macro virus family; and 

the macro virus checker iterativelv retrieving each macro virus definition 
data file using the index for each macro virus family and providing the macro 
virus attributes defined in the retrieved macro virus definition data file. 



PACE 1«24 " RCVD AT B/10/2003 6:56:04 PM CEastem Daylight Tlmel • 8VR:USPTO-EFXRF-1/0 * DNIS:8729306 • CSID:408 971 4660 • DURATION (mm-ss): 07-32 



Jun 10 05 04:00p SVIPG 



408 971 4660 



p- 16 



-9- 

35. (Previously Amended) A system according to Claim 34, further 
comprising: 

each macro virus family defined according to a replication method common to 
each of the macro virus definition data files associated with one such index. 

36. (Original) A system according to Claim 34, further comprising: 

the macro virus definitions database storing at least one of string constants and 
source code text common to each macro virus family in the macro virus attributes for the 
macro virus definition data files; and 

the macro virus checker comparing the suspect string to the at least one of the 
string constants and the source code text in the one or more macro virus definition data 
files for each macro virus family. 

37. (Original) A system according to Claim 36, further comprising: 
the macro virus checker applying a threshold to matches of at least one of 

commonly shared string constants and commonly shared source code text. 

38. (Original) A system according to Claim 36, further comprising: 

the macro virus checker designating a minimum length of commonly shared 
string constants. 

39. (Currently Amended) A method for identifying a macro virus family using 
a macro vims definitions database, comprising: 

maintaining a macro virus definitions database comprising a set of indices and 
associated macro virus definition data files, further comprising: 

referencing one or more of the macro virus defmition data files by the 
associated index with each macro virus definition data file defining macro vims attributes 
for known macro viruses that are each comprised of at least one macro; 

organizing the sets of the indices and the macro virus definition data files into a 
hierarchy according to macro virus families based on a type of application to which the 
macro applies; 
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parsing a suspect file into tokens comprising one of individual string constants 
and source code text and storing the tokens as strings into a hierarchical parse tree; 

tmvorsing tho hiorarchioal par se tr ee to r e tri e v e- tho stringG and comparing the 
strings to the macro virus attributes defined in the one or more macro virus definition 
data files for each macro virus family in the macro virus definitions database; 

detennining the macro virus family to which the suspect file belongs fix>m the 
indices for each of the macro virus definition data files at least partially containing the 
suspect file; 

parsing macro virus attributes firom one or more file objects and analyzing the 
macro virus definition data files by index for each macro virus familv: and 

iterativelv retrieving each macro virus definition data file using the index for each 
macro virus familv and providing the macro virus attributes defined in the retrieved 
macro virus definition data file . 

40. (Previously Amended) A method according to Claim 39, further 
comprising: 

defining each macro virus family according to a replication method common to 
each of the macro virus definition data files associated with one such index, 

41 . (Original) A method according to Claim 39, further comprising: 

storing at least one of string constants and source code text common to each 
macro virus family in the macro virus attributes for the macro virus definition data files; 
and 

comparing the suspect string to the at least one of the string constants and the 
source code text in the one or more macro virus definition data files for each macro virus 
family. 

42. (Original) A method according to Claim 41, further comprising; applying 

a threshold to matches of at least one of commonly shared string constants and commonly 
shared source code text. 
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43. (Original) A method according to Claim 41, further comprising: 
designating a minimum length of commonly shared string constants, 

44. (Original) A computer-readable storage medium holding code for 
performing the method according to Claims 39, 40, or 4L 
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